A pair of app developers settled with the Federal Trade Commission after being accused of violating the Children's Online Privacy Protection Act. This was the agency's first case alleging that companies allowed third party advertisers to use persistent identifiers to serve ads to children in violation of COPPA.
When updates to COPPA took effect in July 2013, the agency added persistent identifiers to the list of personal information protected by the statute, joining data such as names, addresses, telephone numbers, online contact information, photographs, and videos with a child's image or voice, and geolocation information. The modified COPPA Rule defined "persistent identifiers" to include a customer number held in a cookie, an Internet Protocol address, a processor or device serial number, or a unique device identifier.
But child-directed apps developed and marketed by LAI Systems and Retro Dreamer—such as My Cake Shop, Friday Night Makeover, Ice Cream Jump, and Cat Basket—permitted third-party advertisers to collect personal information from children in the form of persistent identifiers, the FTC alleged. The agency said the apps were clearly child-directed as they contained brightly colored animated characters and provided children a platform to create images of cakes and pizzas and play dress-up.
In addition, the agency said the defendants (including two principals at Retro Dreamer) failed to inform the ad networks that the apps were directed to children and failed to obtain consent from the children's parents for collecting and using the information. The FTC alleged that one ad network even cautioned Retro Dreamer about its obligations under COPPA in 2013 and 2014, noting that the company appeared to be violating the statute because its apps were intended for use by children under the age of 13.
To settle the suits, LAI agreed to pay $60,000 in civil penalties, while Retro Dreamer will pay $300,000. Both defendants must also comply with all COPPA requirements going forward by ensuring that verifiable parental consent has been obtained before collecting, using, or disclosing children's personal information, and by posting understandable privacy policies on their sites explaining their information collection practices.
To read the complaint and stipulated order in U.S. v. LAI Systems, Inc., click here.
To read the complaint and stipulated order in U.S. v. Retro Dreamer, click here.
Why it matters: The actions—the agency's first targeting of the use of persistent identifiers to serve ads to kids—signal the FTC's intent to aggressively enforce COPPA. "It's vital that companies understand the rules of the road when it comes to handling children's personal information online," Jessica Rich, Director of the FTC's Bureau of Consumer Protection, said in a statement about the actions. "These cases make it clear that we're closely watching this space to ensure children's privacy online is being protected."